One of my pet peeves (of which there are many!) is a company that sets a security policy without fully understanding what it does, what it doesn’t do, or what the unexpected side effects may be. Disabling iCloud document sync (or, in other words, blocking your access to iCloud Drive and backups) is one such policy.
Normally, your IT or security team will tell you that it’s disabled to stop your corporate data from being backed up to the cloud, to which many foreign powers may or may not have open access. This, I’m afraid, isn’t correct. Any data that has come to your device via Microsoft ActiveSync, or via an app that’s flagged as a corporate app, doesn’t get backed up to Apple’s iCloud servers. Apple simply doesn’t want that data, something that they have publicly stated. Yes, you can save attachments to iCloud Drive as you can with OneDrive and others, and yes, if you poorly configure your corporate apps that data might be backed up, but these are both simple things to correct using other policies.
What it does do, though, is stop you from using it like OneDrive, Dropbox, Box and others for syncing your personal files around your devices (fun fact: the majority of companies out there who implement this policy don’t block these other file syncing services). More importantly, it stops all those iOS applications that use your iCloud Drive for storage (WhatsApp, Pages etc.) from working properly.
Security teams, if you want to fix or plug your worries about data leakage, you need to create a robust DLP policy and have the capability to enforce it without disabling features that will affect things in a much wider sense than you thought. End user experience is rarely thought about when mobile policy is implemented.
Now, back to the main point of my article: Apple are doing something about this!
You might not have picked up on this (unless you love looking at the small print), but buried in the release notes for iOS 10, which came out last year, was a note that some of the MDM API policies used by many enterprises today will, in an upcoming release of iOS 10.x (I’m hoping this is going to be iOS 10.3, to be released in beta this week), be “deprecated” (or moved) into supervised mode only.
Some of these include:
- Disable App installation and removal
- Disable FaceTime
- Disable Siri
- Disable Safari
- Disable iTunes
- Prohibit explicit content
- Disable iCloud documents and data
- Disable multiplayer gaming
- Disable adding GameCenter friends
Now, what this means in real terms is that for a company to enforce any of these policies on your iOS device, they will need to have put your device into “supervised mode”. This mode can only be enabled by your IT dept having physical access to your device to set it up, or via Apple’s DEP program, both of which are costly and unlikely to apply to you.
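For administrators who want to see which of their existing profiles this change touches, here is an added example (not from Apple or from any MDM vendor) that scans a configuration profile for the restrictions listed above. The mapping from the list's wording to Restrictions payload key names is supplied here rather than taken from the release notes, and the sample profile is constructed.

```python
import plistlib

# Restrictions-payload keys for the policies in the list above.
# Assumption: this label-to-key mapping is added here, not quoted from Apple.
SUPERVISED_ONLY = {
    "allowAppInstallation": "Disable app installation",
    "allowAppRemoval": "Disable app removal",
    "allowVideoConferencing": "Disable FaceTime",
    "allowAssistant": "Disable Siri",
    "allowSafari": "Disable Safari",
    "allowiTunes": "Disable iTunes",
    "allowExplicitContent": "Prohibit explicit content",
    "allowCloudDocumentSync": "Disable iCloud documents and data",
    "allowMultiplayerGaming": "Disable multiplayer gaming",
    "allowAddingGameCenterFriends": "Disable adding Game Center friends",
}
RESTRICTIONS_TYPE = "com.apple.applicationaccess"

def supervised_only_restrictions(profile_bytes):
    """Return (payload name, key, label) for every listed restriction
    that the profile actually enforces (key explicitly set to False)."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != RESTRICTIONS_TYPE:
            continue  # keys in other payload types are not restrictions
        name = payload.get("PayloadDisplayName", "?")
        for key, label in SUPERVISED_ONLY.items():
            # These keys default to "allowed"; only an explicit False restricts.
            if payload.get(key) is False:
                findings.append((name, key, label))
    return findings

# Constructed sample profile, serialized the way a .mobileconfig is stored.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.byod",
    "PayloadContent": [
        {"PayloadType": RESTRICTIONS_TYPE,
         "PayloadDisplayName": "BYOD restrictions",
         "allowCloudDocumentSync": False,
         "allowExplicitContent": False,
         "allowAssistant": True,      # explicitly allowed: not a finding
         "allowCamera": False},       # not on the article's list
        {"PayloadType": "com.apple.wifi.managed",
         "PayloadDisplayName": "Wi-Fi", "allowSafari": False},
    ],
})

if __name__ == "__main__":
    for name, key, label in supervised_only_restrictions(SAMPLE_PROFILE):
        print(f"{name}: {key}=false ({label}) requires a supervised device")
```

Any finding is a restriction that will stop applying to unsupervised devices once the change lands, so the data-leakage control it was meant to provide has to come from somewhere else.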
For me, I think this is a great move, as it means that security teams will no longer be able to enforce silly policies onto iOS devices that are badly thought out and poorly implemented. Blocking iCloud documents but allowing OneDrive, Dropbox etc. doesn’t fix your DLP issues. What your company is doing is stopping you from using the personal side of your device, which is the main reason we want these devices over and above all others.
I can’t wait for iOS 10.3 to get here. Once it does, I’ll be moving all my files from OneDrive to iCloud, as I know then that my company can no longer enforce their misguided assessments of security policy upon me without thinking of the impact they have on my user experience.